[closed] Per-backend-user password salting
Posted: Tue Sep 20, 2011 8:35 am
It's good that password salting is coming for backend users.
I have 1.10-beta1, and there at least, the process uses the same salt (or none) for everyone. AFAIK, it's more secure to use per-person salting, even when someone malicious can access the tabled password data, hence the individual salts. Can't run all the users against a single dictionary (or whatever).
I've modded mine to append a random 8-byte salt to each user's 32-byte md5 hash. The space is already there in the database field. Takes only about a dozen extra lines of code total, for password creation and validation (the latter handling hash-only or hash+salt, according to what's stored).
Worth doing generally?
I have 1.10-beta1, and there at least, the process uses the same salt (or none) for everyone. AFAIK, it's more secure to use per-person salting, even when someone malicious can access the tabled password data, hence the individual salts. Can't run all the users against a single dictionary (or whatever).
I've modded mine to append a random 8-byte salt to each user's 32-byte md5 hash. The space is already there in the database field. Takes only about a dozen extra lines of code total, for password creation and validation (the latter handling hash-only or hash+salt, according to what's stored).
Worth doing generally?